Make the user creating a Wordpress (Developer Edition) site the 1st Administrator user
-
Every time I setup a Wordpress (Developer Edition) app website, I have to go through:
- Login with my LDAP to create my user
- Logout
- Login as admin/changeme
- Set my user as an Administrator
- Logout
- Login as my user
- Delete the default
adminuser.
It's not recommended to have a default
adminuser, anyway, to make one less known attack vector.If possible, creating the Cloudron User that creates the Wordpress (Developer Edition) as the 1st Wordpress User and Administrator would save those 7 steps above on each setup, and be a little better best-practice for security and named responsibility for each app.
Just a little quality of life request that I think is good for all.
-
I solved this by creating a
wp0"template" install that has all this and more completed, from which you clone every new site. Very handy. -
@robi Sorta, but then that needs to be maintained on each Cloudron
@marcusquinn you're right, which is another reason why it's so useful to have remote app import across cloudrons.
-
@marcusquinn another faster option is to change in the
wp_usermetatable of the database the initial meta_value of the meta_keywp_capabilitiestoa:1:{s:13:"administrator";b:1;}
With that, the user newly created by LDAP has administrator permissions. Just delete or modify the
user_loginadmin user in thewp_userstable to make it less vulnerable.Of course, sharing the same LDAP user and password in multiple applications is not a safe practice either
And finally, you can also create a small n8n workflow in which passing the appID of the WordPress installation in Cloudron, does all the work for you...
-
@marcusquinn another faster option is to change in the
wp_usermetatable of the database the initial meta_value of the meta_keywp_capabilitiestoa:1:{s:13:"administrator";b:1;}With that, the user newly created by LDAP has administrator permissions. Just delete or modify the
user_loginadmin user in thewp_userstable to make it less vulnerable.Of course, sharing the same LDAP user and password in multiple applications is not a safe practice either
And finally, you can also create a small n8n workflow in which passing the appID of the WordPress installation in Cloudron, does all the work for you...
@martinkbs Thanks. Yeah, appreciate that, but misses the time-saving for everyone benefit of solving it in the app build. I just can't think of any reason to have an admin/changeme user to start with, when the Cloudron user creating the app is the Admin that that wanted it, and they already have credentials to get as far as creating an app.
-
Every time I setup a Wordpress (Developer Edition) app website, I have to go through:
- Login with my LDAP to create my user
- Logout
- Login as admin/changeme
- Set my user as an Administrator
- Logout
- Login as my user
- Delete the default
adminuser.
It's not recommended to have a default
adminuser, anyway, to make one less known attack vector.If possible, creating the Cloudron User that creates the Wordpress (Developer Edition) as the 1st Wordpress User and Administrator would save those 7 steps above on each setup, and be a little better best-practice for security and named responsibility for each app.
Just a little quality of life request that I think is good for all.
@marcusquinn said in Make the user creating a Wordpress (Developer Edition) site the 1st Administrator user:
Every time I setup a Wordpress (Developer Edition) app website, I have to go through:
Login with my LDAP to create my user Logout Login as admin/changeme Set my user as an Administrator Logout Login as my user Delete the default admin user.Heh, yeah, same.
-
Unfortunately, the upstream LDAP plugin does not support this setup. It only supports setting the default role of LDAP user to admin for all users. We had this before but people said this is a security issue because it makes even normal Cloudron users admin...
-
Unfortunately, the upstream LDAP plugin does not support this setup. It only supports setting the default role of LDAP user to admin for all users. We had this before but people said this is a security issue because it makes even normal Cloudron users admin...
@girish I wonder if if could be done as changing the username of user 1 from
admintomycloudronusernameusing CLI:Then the password could be a random string, instead of
changeme, since the LDAP plugin should lookup the username from the WP table, and the auth for that username from the LDAP database if it doesn't match the local password.As far as I can tell with the LDAP plugin, each user has two passwords, the local one, and the LDAP one, and both work for the same username.
If this works as I hope/expect, then it also eliminates the window of time where there's a default password, not that I think that's a major risk, but it's a bit iffy.
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
@girish I wonder if if could be done as changing the username of user 1 from
admintomycloudronusernameusing CLI:Then the password could be a random string, instead of
changeme, since the LDAP plugin should lookup the username from the WP table, and the auth for that username from the LDAP database if it doesn't match the local password.As far as I can tell with the LDAP plugin, each user has two passwords, the local one, and the LDAP one, and both work for the same username.
If this works as I hope/expect, then it also eliminates the window of time where there's a default password, not that I think that's a major risk, but it's a bit iffy.
@marcusquinn said in Make the user creating a Wordpress (Developer Edition) site the 1st Administrator user:
mycloudronusername
The app currently doesn't know about Cloudron users and their usernames (until they login)
-
@marcusquinn said in Make the user creating a Wordpress (Developer Edition) site the 1st Administrator user:
mycloudronusername
The app currently doesn't know about Cloudron users and their usernames (until they login)
@girish but the package manifest does? And we know the default user is always
admin. Would something like this not work before declaring as Running?
$ wp user update admin --user=<cloudonusername> --display_name=<cloudrondisplayname> --user_email=<cloudronuseremail> --user_pass=<random> --first_name=<cloudronuserfirst_name> --last_name=<cloudronuserlast_name> --user_nicename=<cloudronuserfullname> -
@marcusquinn I use these commands, via Terminal MySQL Access:
//display active users select user_login, user_nicename, display_name from wp_users; //change user_nicename UPDATE wp_users SET user_nicename = 'myusername' WHERE user_nicename = 'admin'; //change user_login UPDATE wp_users SET user_login = 'myusername' WHERE user_login = 'admin'; //change display_name UPDATE wp_users SET display_name = 'myusername' WHERE display_name = 'admin'; //change user email UPDATE `wp_users` SET `user_email` = "myemail@email.com" WHERE `wp_users`.`user_login` = "myusername"; //change admin password UPDATE WORDPRESSDATABASE.wp_users SET user_pass = MD5('NEWPASSWORD') WHERE user_login = 'myusername';
